Method of operating a system on chip comprising a bootable processor

(19)

(11)

EP 3 046 024 A1

(12)	EUROPEAN PATENT APPLICATION

(43)	Date of publication:
	20.07.2016 Bulletin 2016/29

(21)	Application number: 15464003.1

(22)	Date of filing: 15.01.2015

(51)

International Patent Classification (IPC):

G06F 9/44^(2006.01)

G06F 21/57^(2013.01)

(84)	Designated Contracting States:
	AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
	Designated Extension States:
	BA ME

(71)	Applicant: Siemens S.R.L.
	062204 Bucuresti (RO)

(72)	Inventor:
	Pitu, Ciprian-Leonard 500371 Brasov (RO)

(74)	Representative: Fierascu, Cosmina-Catrinel et al
	Rominvent SA 35 Ermil Pangratti Street Sector 1 011882 Bucharest 011882 Bucharest (RO)

(54)	Method of operating a system on chip comprising a bootable processor

(57) The present invention relates to a method of operating a system on chip comprising a bootable processor (10), the method comprising the steps of: executing a bootloader and measuring electrical power consumed by the processor (10) during booting in order to derive a unique power characteristic data; verifying the unique power characteristic data; and reconstructing an device key out of the unique power characteristic data and helper dater derived during an enrolment (21) of the system on chip. The measured power trace of the processor (10) constitutes a unique signature of the SoC device running specified software. Thus, the solution secures the running software by itself.

Description

[0001] The invention relates to a method of operating a system on chip comprising a bootable processor. The invention also relates to a system on chip for implementing the method.

[0002] A system on chip (SoC) is an integrated circuit that integrates components of a computer or other electronic system into a single chip. It can be subject to attacks during which original software is replaced or changed.

[0003] Currently there are different approaches for securing memory content. A well known solution is data encryption, whereas the memory's content is encrypted and cannot be decrypted without the correct key. The same key is used to encrypt any firmware loaded on-chip. If the key leaks or if the SoC's storage is read out this type of protection becomes obsolete.

[0004] The publication WO 2012/099657 A2 relates to intrinsic security, which relies on physical features of a silicon device. These features are used to uniquely characterise the device. By using this method the manufacturing imperfections are exploited yielding a device-unique identification characteristic which can be used to derive a cryptographic key. This solution is highly secure, but requires extensive engineering and resources.

[0005] It is an object of the invention to provide an improved method for protecting confidential information on a system on chip.

[0006] The invention provides a method of operating a system on chip comprising a bootable processor, the method comprising the steps of:

executing a bootloader and measuring electrical power consumed by the processor during booting in order to derive a unique power characteristic data;
verifying the unique power characteristic data; and
reconstructing a device key out of the unique power characteristic data and helper dater derived during an enrolment of the system on chip.

[0007] The measured power trace of the processor constitutes a unique signature of the SoC device running specified software. Thus, the solution secures the running software by itself. There are no on-chip stored secrets; from the helper data alone there is no possibility to compute the device key respectively encryption key or the power characteristics.

[0008] An improved method further comprises subsequent to the reconstruction of the device key: decrypting software, which is encrypted with the device key and stored on memory; and executing the decrypted software. Thus, the method is used to characterise preloaded software on a SoC device.

[0009] In a preferred embodiment of the method the verification of the unique power characteristic data is performed by comparing a check sum of the derived power characteristic data with a check sum generated during enrolment of the system on chip. This validation of the power characteristics instantly reveals an interference of the bootlaoder.

[0010] In case of falsification a reset signal is generated in order to reset the processor. Thus, an attack stops before memory data can be read out.

[0011] Furthermore, it is advantageous, if the bootloader is re-executed after reset of the processor for a determined number of repetitions. In case of a singular problem this measure allows normal operation of the SoC after an automatic restart.

[0012] If a problem endures, it is advantageous, if the SoC is blocked after executing the determined number of repetitions. Thus, no further manipulations respectively attacks are possible.

[0013] As an optional measure a security alarm is reported after executing the determined number of repetitions. Additionally, for a high risk application it is advantageous, if the memory of the SoC is erased after executing the determined number of repetitions. This prevents any type of unauthorised access to secure data.

[0014] During enrolment of the SoC, booting is preferably executed in a loop in order to obtain a number of samples of the measured electrical power consumed by the processor. This data collection allows a better verification of the power characteristic data (after enrolment).

[0015] A proposed system on chip, which is set up to implement one of the methods described above, comprises a processor unit, which comprises: a processor as such; an ADC for converting a measured power trace into digital data; a power characterisation module for generating a power characteristic data out of the power trace digital data; an enrolment module; a storage to store helper data and validation data, which is particularly a check sum of the power data; and a trace validator and key reconstructor module.

[0016] By adding basic hardware components, inaccessible for the end-users, the software running on the SoC is characterised by the power trace. The analog-to-digital converter (ADC) and the power characterisation module achieve a fast and easy enrolment and reconstruction of the power characteristics. The boot process is not hindered or slowed down as the power characteristics are generated in parallel with the bootloader being executed.

[0017] In a specific embodiment the processor unit is connected to a system bus, a clock and reset unit and a memory controller.

[0018] Furthermore, the enrolment module is physically disabled subsequent to the generation of the helper data.

[0019] These and other aspects and advantages will become more apparent and more readily appreciated from the following description of the exemplary embodiments, taken in conjunction with the accompanying drawings of which:

Fig. 1: is a SoC device structure
Fig. 2: is a processor unit of fig. 1
Fig. 3: is a block diagram of an enrolment process
Fig. 4: is a block diagram of a reconstruction process

[0020] Figure 1 shows a SoC device with a processor unit 1, which is connected to a system bus 2. Additionally, a clock and reset unit 3 and a memory controller 4 are connected to the processor unit 1 and to the system bus 2. Further components of the SoC are a memory 5, a DMA controller 6 and diverse peripheral components 7, 8, 9...n, which are also connected to the system bus 2.

[0021] The processor unit 1 is shown in detail in figure 2. It comprises the processor 10 as such, which is connected to a power source via a shunt resistance 11. The voltage drop at the shunt resistance 11 is measured by an ADC 12, which converts the measured power trace into digital data. The ADC measures only the power consumption of the processor 10.

[0022] Furthermore, a power characterisation module 13 generates power characteristic data out of the power trace digital data. Thus, the power characterisation module 13 evaluates the power trace and determines a chip-unique pattern, which reflects the executed software and the physical characteristics of the particular device that is executing the software.

[0023] Attached to the power characterisation module 13 an enrolment module 14 is used during the enrolment phase. It generates helper data, using the power characterisation data and an encryption key provided by the manufacturer. The helper data is stored in a non-volatile storage 15.

[0024] For the reconstruction phase a trace validator and key reconstructor module 16 is arranged. It receives the power characterisation data from the power characterisation module 13 and reads the stored helper data in order to reconstruct the original key.

[0025] If the power characterisation data is valid, the trace validator and key reconstructor module 16 sends a system-validate-signal 17 to the clock and reset module 3 and the reconstructed device key 18 to the memory controller 4. Additionally, an execution-enable-signal 19 is sent to the processor 10.

[0026] In case of a falsification the trace validator and key reconstructor module 16 sends a reset-signal 20 to the processor 10. For this purpose check sum verification is performed.

[0027] During enrolment, which is shown in figure 3, the manufacturer of the SoC or a software developer loads the bootloader on-chip. Enrolment 21 starts with triggering the enrolment module 14. As a result the processor 10 executes the bootloader in loop. For this purpose a counter c is used. Each time the bootloader is executed power characterisation 22 takes place. Power trace is measured by the ADC 12 and processed by the power characterisation module 13.

[0028] At the end of the enrolment phase, when the enrolment counter c is equal zero, the enrolment module 14 executes the enrolment process 24 as such. The averaged power characteristic data and a provided device key 23 are used to generate the helper data. Storing 25 of the helper data is the last step before the enrolment module 14 is disabled physically.

[0029] Normal operation is shown in figure 4. The SoC is powered on and reconstruction 26 starts with the execution 27 of the bootloader. The boot process is the first step in starting a silicon device and is executed directly after power-on. It initializes the SoC into a predefined state, allowing it to further load more complex software. Therefore, the first security problem is the bootloader; if it gets compromised, then the pyramid of trust cannot be set up.

[0030] The ADC 12 measures the power trace and the power characterisation module 13 generates the power characteristic data. Parallel to this generation 28 of the power characteristic data the reading 29 of the helper data is performed. During the reconstruction process 30 as such the trace validator and key reconstructor module 16 uses the power characteristics and the helper data to validate the executed bootloader and to generate the device key. The validation 31 either results in decrypting and executing 32 software or in resetting 33 the processor 10.

[0031] If the power characteristics data is valid, the execution of the software is also validated by using the power characteristics and the helper data respectively the device key.

[0032] In case of a mismatch, due to security attacks (e.g. changed bootloader, changed instruction or code sequences inside the original bootloader, etc.), the trace validator and key reconstructor module 16 resets the processor 10 and re-executes the bootloader.

[0033] After a number of unsuccessful bootloader executions different actions take place, depending on the desired strategy. These actions could be preventing the SoC from starting up, reporting security alarms, erasing the entire memory, etc.

Claims

1. A method of operating a system on chip comprising a bootable processor (10), the method comprising the steps of:

executing a bootloader and measuring electrical power consumed by the processor (10) during booting in order to derive a unique power characteristic data;

verifying the unique power characteristic data; and

reconstructing a device key out of the unique power characteristic data and helper dater derived during an enrolment (21) of the system on chip.

2. The method according to claim 1, further comprising after reconstructing the device key:

decrypting software, which is encrypted with the device key and stored on memory (5); and

executing the decrypted software.

3. The method according to claim 1 or 2, whereas the verification of the unique power characteristic data is performed by comparing a check sum of the derived power characteristic data with a check sum generated during enrolment (21) of the system on chip.

4. The method according to claim 3, whereas in case of falsification a reset signal is generated in order to reset the processor (10).

5. The method according to claim 4, whereas the bootloader is re-executed after reset of the processor (10) for a determined number of repetitions.

6. The method according to claim 5, whereas the system on chip is blocked after executing the determined number of repetitions.

7. The method according to claim 5 or 6, whereas a security alarm is reported after executing the determined number of repetitions.

8. The method according to any one of claims 5-7, whereas the memory (5) of the system on chip is erased after executing the determined number of repetitions.

9. The method according to any one of claims 1-8, whereas during enrolment (21) of the system on chip booting is executed in a loop in order to obtain a number of samples of the measured electrical power consumed by the processor (10).

10. A system on chip, which is set up to implement the method as claimed in one of claims 1 to 9, with a processor unit (1) comprising:

a processor (10) as such;

an ADC (12) for converting a measured power trace into digital data;

a power characterisation module (13) for generating a power characteristic data out of the power trace digital data;

an enrolment module (14);

a storage (15) to store helper data and validation data, which is particularly a check sum of the power data; and

a trace validator and key reconstructor module (16).

11. The system on chip according to claim 10, whereas the processor unit (1) is connected to a system bus (2), a clock and reset unit (3) and a memory controller (4).

12. The system on chip according to claim 10 or 11, in which the enrolment module (14) is physically disabled subsequent to the generation of the helper data.

Drawing

Search report

Search report

Cited references

REFERENCES CITED IN THE DESCRIPTION

This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description

WO2012099657A2 [0004]